Digital signature generating/verifying method and system using public key encryption

ABSTRACT

A digital signature generating/verifying method using a public key encryption scheme which ensures high security, reduction in length of the digital signature and independency of the length of the digital signature on that the order of a base point. In generating a digital signature, a first hash value (e) satisfying a condition that e=H(M) is determined for a given message (M) by using a hash function (H), a numerical value (x) is obtained from translation of a random number, a hash value (r) satisfying a condition that r=h(x) is determined by using a hash function (h) whose output value is shorter than that of the first hash function (H), and the digital signature is generated by using the hash values (e) and (r) as determined. For verification of an inputted digital signature, the hash value (e) satisfying the condition that e=H(M) is determined, and for a numerical value (x) obtained from arithmetic operation of a public key (Q), a base point (P) and the inputted digital signature (r, s), a hash value (r&#39;) satisfying a condition that r&#39;=h(x) on the basis of the hash value (re), the digital signature (r, s), the base point (P) and the public key (Q) by using a hash function (h) whose output value is shorter than that of the first hash function (H). The hash value (r&#39;) is then compared with a tally (r) of the inputted digital signature to thereby verify the inputted digital signature.

BACKGROUND OF THE INVENTION

The present invention relates to a method and a system for generatingand/or verifying a digital signature by using a public key encryptionmethod for securing the security in a computer network.

The digital signature technology for imparting electric documents or thelike for electronic comments or transactions with a function equivalentto that of a conventional seal (hanko in Japanese) promises highefficiency utilization of computer-network system. However, with theconventional electronic mail encryption technology (also known asPrivacy Enhanced Mail or PEM in abbreviation), it is impossible toprocess more than one digital signature for a single enhanced mail. Inthis conjunction, in the electronic commerce fields, it is expected inthe not-so-distant future that the electronic document such as messageand the like affixed with a number of digital signatures including notonly the digital signature of a purchaser but also those of adistributor, salesman and/or monetary business-man will be handled.Under the circumstances, there arises a demand for the multiple digitalsignature technology which allows the electronic documents affixed witha plurality of digital signatures to be processed. In this conjunction,it is noted that a person receiving an electronic document affixed witha plurality of digital signatures will be forced to verify theauthenticity of plural or N digital signatures written by other personsbefore writing or generating his or her own single digital signature.Thus, in order to enhance the availability of the digital signaturefacility in the computer network system, it will be required to increasethe speed for verification of the plural (N) digital signatures.Besides, it is conceivable that in the electronic commerces, there is apossibility that comments may be added by a plurality of persons in thecourse of processing the electronic document.

For having better understanding of the invention, description will firstbe made in some detail of the technical background of the invention. Asa typical one of the digital signature techniques known heretofore,there may be mentioned the public-key cryptography elliptic curve systemdisclosed in J. Koeller, A. J. Menezes, M. Qu and S. A. Vanstone:“Standard for RSA, Diffie-Hellman and Related Public-Key CryptographyElliptic Curve Systems (Draft 8)” in “IEEE P1363 Standard” published bythe IEEE, May 3, 1996 and May 14, 1996, respectively.

FIG. 9 is a schematic diagram showing generally a configuration of acomputer network system in which the techniques disclosed in theabove-mentioned literatures are adopted.

Referring to FIG. 9, there are connected to a network 1001 a systemmanager's computer 1002, a user A's computer 1003 and a user B'scomputer 1004 for mutual communication.

Operations of the individual units shown in FIG. 9 will be describedbelow.

System Setup

The system manager's computer 1002 is in charge of generating anelliptic curve (E) 1006. Subsequently, a base point (also referred to asthe system key) (P) 1007 of the order (n) 1008 is generated andregistered in a public file 1005.

Key Generation

A key generating function module 1011 incorporated in the user A'scomputer 1003 is designed to execute the processing steps which will bementioned below.

Step 1: In an interval [2, n−2], an integer d_(A) is selected at randomas a private key.

Step 2: A key Q_(A) is computed in accordance with Q_(A)=d_(A)P.

Step 3: The key (Q_(A)) 1015 is opened to the public as the public key.More specifically, the public key (Q_(A)) 1015 is transmitted togetherwith the identifier name of the user A to the system manager's computer1002 via the network 1001, whereon the identifier name of the user A iswritten in the public file 1005 at a column 1009 for the user A's namewith the value of the public key (Q_(A)) 1015 being written in a column1010 for the public key Q_(A).

Step 4: In the user A's computer 1003, the value of the private key(d_(A)) 1014 is held as the private key of the user A.

Digital Signature Generation Process

A digital signature generating function module 1033 incorporated in theuser A's computer 1003 is designed to execute the processing stepsmentioned below.

Step 1: Message (M) 1016 is received.

Step 2: Hash value e=H(M) is computed by using a hash function (H) 1028.

Step 3: Random number k is selected from the interval [2, n−2] by usinga random number generation function 1029.

Step 4: Point kP=(x, y) is computed by a so-called “scalarmultiplication on elliptic curve (E)” 1030.

Step 5: A first tally r given by r=x+e (mod n) is determined inaccordance with the modular computation “r=x+e (mod n)” 1031.

Step 6: A private key (d_(A)) 1017 is inputted to modular computationprocess “s=k−d_(A)r (mod n)” 1032 for thereby determining a second tallys (=k−d_(A)r (mod n)).

Step 7: A message M 1016 and the digital signature (r, s) 1019 are sentto the user B's computer 1004 via the network 1001.

As the parameters required for the computations performed by the digitalsignature generating function module 1033, the elliptic curve (E) 1006,the base point which may also be referred to system key (P) 1007 and theorder (n) 1008 registered in the public file 1005 held by the systemmanager's computer 1002 are referenced.

Digital Signature Verification Process

A digital signature verifying function module 1023 incorporated in theuser B's computer 1004 is designed to execute the processing stepsmentioned below.

Step 1: The user A's public key (Q_(A)) 1010 is fetched from the publicfile 1005 held by the system manager's computer 1002 to be set as apublic key (Q_(A)) 1020. Additionally, the base point (system key) (P)1007 is fetched from the public file 1005 held by the system manager'scomputer 1002 to be set as the base point (P) 1007B. Furthermore, thedigital signature (r, s) 1019 sent from the user A's computer 1003 isreceived to be set as a digital signature (r, s) 1021. Besides, themessage (M) 1016 sent from the user A's computer 1003 is received to beset as a message (M) 1022.

Step 2: The base point or system key (P) 1007B, the public key (Q_(A))1020, the digital signature (r, s) 1021 are inputted to the process“scalar multiplication on elliptic curve (E)” and “addition” 1024 tothereby carry out the calculation “(x, y)=sP+rQ_(A)”.

Step 3: The message M 1022 is inputted into the hash function H 1025 tothereby compute the hash value e=H(M).

Step 4: Through the computation process “r′=x+e (mod n)” 1026, a firsttally “r′=x+e (mod n)” is determined.

Step 5: When the decision “r=r′?” 1027 results in r=r′ or YES, data“authenticated” is outputted, and if otherwise, “not authenticated” isoutputted.

As the parameters required for the computations performed by the digitalsignature verifying function module 1023, the elliptic curve (E) 1006,the base point or system key (P) 1007 and the order (n) 1008 asregistered in the public file 1005 held by the system manager's computer1002 are referenced.

Through the processes described above, the digital signature (r, s)functions as an electronic seal (i.e., seal or “hanko” impressedelectronically by the user A for the message M). To say in another way,the user B can hold the set of the message M and the digital signature(r, s) as the evidence indicating that the message M is issued by theuser A. Further, although the user B can recognize the authenticity ofthe set of the message M and the digital signature (r, s), the user Bcan not originally generate the set of the message M and the digitalsignature (r, s). For this reason, the user A can not negate later onthe fact that the digital signature (r, s) has been generated by theuser A.

However, the conventional system described above suffers the problemswhich will be elucidated below.

(1) Insufficient Proof for Security

In general, generation of a digital signature by a person having noprivate key provides a problem. If otherwise, the authenticity of thedigital signature can not be ensured, degrading the creditability of theelectronic commerce and rendering it impractical.

In the conventional system described above, it is required to providethat such tally combination (r, s) can not be generated which allows theoutput “authenticated” to be generated in the course of the digitalsignature verification processing without knowing the private key d_(A).However, the conventional system provides no proof to this end.Parenthetically, it should be mentioned that the problem mentioned abovehas been pointed out in conjunction with ElGamal signature technology onwhich the conventional system described above is based.

(2) Long bit length of the digital signature

Now, assuming that relevant parameters have respective bit lengths asfollows:

(a) The bit length representing the order n of the base point P is l_(n)bits (e.g. 160 bits).

(b) The bit length representing the output of the hash function H isl_(H) bits (e.g. 160 bits).

(c) The bit length of the private key d_(A) is l_(d) bits (e.g. 160bits).

The output value of the hash function H given by of 160 bits isconsidered as being necessary in view of the fact that the hash functionH has a collision-free property. In this conjunction, it is contemplatedwith the phrase “collision-free property” to mean that difficulty isencountered in finding two different input values which result in a sameoutput value in view of the computational overhead. By way of example,in the case where the output value of a hash function H is 160 bits, itwill be possible to find two different input values which results in asame output value by carrying out an attack method known as “Paradox ofBirthday” a number of times on the order of 2⁸⁰ on an average, which ishowever difficult in view of the computational overhead.

Further, the bit length of 160 bits for the order n of the base point(system key) is considered as being necessary because of difficulty ofsolving the discrete logarithm problem relevant to the addition on theelliptic curve.

In this case, when the length of the tally r of the digital signature(r, s) is of l_(n) bits with the length of the tally s being of l_(n)bits, then the total bit number amounts to (l_(n)+l_(n)) bits (e.g. 320bits).

(3) The length of the digital signature is determined in dependence onthe length of the parameter n of the elliptic curve. Consequently, whenthe length of the parameter n is increased for ensuring the security ofthe digital signature more positively in the future, the length of thedigital signature increases correspondingly. Parenthetically, inconjunction with RSA and EES, it is noted that the length of theparameter n is unavoidably increased because of enhancement of thedecryption method and the computer performance promoted as a function ofthe time lapse. The same will also apply equally to the ellipticalencryption in the future. To say in another way, it is expected that thelength of the parameter n will necessarily increase as the decryptiontechnology and the computer performance are enhanced as a function oftime lapse. Such being the circumstances, it is desirable in conjunctionwith the elliptic encryption to realize the digital signature which doesnot depend on the length of the order n of the base point or system keyP.

SUMMARY OF THE INVENTION

In the light of the state of the art described above, it is an object ofthe present invention to provide a digital signature generating and/orverifying method and system using a public key encryption scheme withhigh security as well as a recording medium for storing a program forcarrying out the method.

Another object of the present invention is to provide a digitalsignature generating and/or verifying method and system using a publickey encryption scheme, which allows the bit length of the digitalsignature to be shortened, and a recording medium for storing a programrealizing the same.

Yet another object of the present invention is to provide a digitalsignature generating/verifying method and system which are based on theuse of a public key encryption method in which the length of the digitalsignature is made to be independent of the length of the order of thebase point, and a recording medium employed for storing a programrealizing the same.

In view of the above and other objects which will become apparent as thedescription proceeds, there is provided according to a first genericaspect of the present invention a digital signature generating/verifyingmethod of generating and/or verifying a digital signature authenticatingelectronically a signature affixed to a given document or message (M) byresorting to a public key encryption scheme. The digital signaturegenerating/verifying method includes processing steps of determining forthe given document or message (M) a hash value (e) satisfying acondition that e=H(M) by using a hash function (H), and determining fora numerical value (x) derived from translation of a random number a hashvalue (r) satisfying a condition that r=h(x) by using a hash function(h) whose output value is shorter than that of the first-mentioned hashfunction (H).

Further, according to another general aspect of the present invention,there is provided a digital signature generating and/or verifying methodof generating or verifying a multiple digital signature authenticatingelectronically signatures affixed to document such as messages and/orcomments (M_(i)) as created and/or added sequentially by N users i(where i=1, . . . , N) by using a public key encryption scheme. Thedigital signature generating/verifying method includes the steps of (a)determining for a given one of the messages (M_(i)) a hash value (e_(i))satisfying a condition that e_(i)=H(M_(i)) by using a hash function (H),(b) determining for a numerical value (x_(i)) obtained from translationof a random number a hash value (r_(i)) satisfying a condition thatr_(i)=h(x_(i)) by using a hash function (h) whose output value isshorter than that of the first-mentioned hash function (H) and (c)executing the above-mentioned steps (a) and (b) for each of the users i(where i=1, . . . , N).

According to another general aspect of the present invention, there isprovided a digital signature generating/verifying system for generatinga digital signature authenticating electronically a signature affixed toa given message (M) by resorting to a public key encryption scheme. Thedigital signature generating/verifying system is composed of aprocessing unit for determining for the message (M) a hash value (e)satisfying a condition that e=H(M) by using a hash function (H), aprocessing unit or module for determining for a numerical value (x)obtained from translation of a random number a hash value (r) satisfyinga condition that r=h(x) by using a hash function (h) whose output valueis shorter than that of the hash function (H).

Furthermore, according to another general aspect of the presentinvention, there is provided a digital signature generating and/orverifying system for generating and/or verifying a multiple digitalsignature authenticating electronically signatures affixed to documentsuch as messages and/or comments (M_(i)) as created and/or addedsequentially by N users i (where i=1, . . . , N) by resorting to the useof a public key encryption scheme, wherein the digital signaturegenerating/verifying system includes a module for determining for agiven one of the messages (M_(i)) a hash value (e_(i)) satisfying acondition that e_(i)=H(M_(i)) by using a hash function (H), a module fordetermining for a numerical value (x_(i)) derived from translation of arandom number a hash value (r_(i)) satisfying a condition thatr_(i)=h(x_(i)) by using a hash function (h) whose output value isshorter than that of the first-mentioned hash function (H), and a modulefor validating the above-mentioned modules for each of the users i(where i=1, . . . , N).

The above and other objects, features and attendant advantages of thepresent invention will more easily be understood by reading thefollowing description of the preferred embodiments thereof taken, onlyby way of example, in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the course of the description which follows, reference is made to thedrawings, in which:

FIG. 1 is a schematic block diagram showing generally a systemconfiguration according to an exemplary embodiment of the presentinvention;

FIG. 2A is a block diagram showing a system configuration of a singledigital signature generating/verifying unit executed by a user A'spersonal computer shown in FIG. 1;

FIG. 2B is a flow chart for illustrating a processing involved in thesingle digital signature generation algorithm executed by the user A'spersonal computer in conjunction with the system shown in FIG. 1;

FIG. 3 is a flow chart for illustrating a processing for a singledigital signature verification processing or algorithm executed by auser B's personal computer in the system shown in FIG. 1;

FIG. 4 is a flow chart for illustrating a processing for a duple digitalsignature generation processing or algorithm executed by the user B'spersonal computer in the system shown in FIG. 1;

FIG. 5 is a flow chart for illustrating a processing for a duple digitalsignature verification processing or algorithm executed by a user C'spersonal computer in the system shown in FIG. 1;

FIG. 6 is a block diagram showing a computer network configurationaccording to another embodiment of the invention;

FIG. 7 is a flow chart for illustrating a processing for a tripledigital signature generation algorithm executed by the user C's personalcomputer shown in FIG. 6;

FIG. 8 is a flow chart for illustrating a processing for a tripledigital signature verification algorithm executed by a user D's personalcomputer in the system shown in FIG. 6; and

FIG. 9 is a schematic diagram showing generally a configuration of aconventional computer network system designed for transferringelectronic documents affixed with digital signatures known heretofore.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Now, the present invention will be described in detail in conjunctionwith what is presently considered as preferred or typical embodimentsthereof by reference to the drawings. In the following description, likereference characters designate like or corresponding parts throughoutthe several views. Also in the following description, it is to beunderstood that such terms as “document”, “comment”, “message” and thelike are words of convenience and are not to be construed as limitingterms.

FIG. 1 is a schematic block diagram showing generally a systemconfiguration according to an exemplary embodiment of the invention.Referring to the figure, there are connected to a network 101, a userA's personal computer 102, a user B's personal computer 103 and a userC's personal computer 104. In the user A's personal computer 102, a userA's signature (r₁, s₁) 111 is generated for a user A's created document(M₁) 110 by using a base point which may also be referred to as thesystem key (P) 117 and a user A's private key (d₁) 118 in accordancewith a single digital signature generation algorithm (AL₁) 105 to besubsequently sent to the user B's personal computer 103 via the network101. In this conjunction, “r₁” and “s₁” of the user A's signature (r₁,s₁) 111 are defined as a first tally and a second tally, respectively.In the user B's personal computer 103, authenticity of the user A'sissued document 109 composed of a set of the user A's created document(M₁) 110 and the user A's signature (r₁, s₁) 111 is verified by using abase point or system key (P) 119 and a user A's public key (Q₁) 120 inaccordance with a single digital signature verification algorithm (AL₁′)106 and at the same time, a user A's and B's multiple signature (r₁, r₂,s²) 113 is generated for the user A's created document (M₁) (i.e.,document M₁ created by user A) 115, the user A's signature (r₁, s₁) 111and a user B's addition such as comment (M₂) 114 by using the base point(P) 119 and the user B's private key (d₂) 121 in accordance with a dupledigital signature generation algorithm (AL₂) 107 to be subsequently sentto the user C's personal computer 104 via the network 101. In the userC's personal computer 104, authenticity of the user B's issued document112 composed of the set of the user A's created document (M₁) 115 andthe user B's addition or comment (M₂) 114 as well as the user A's andB's multiple (duple) signature (r₁, r₂, s₂) 113 is verified by using thebase point (P) 122, a user A's public key (Q₁) 123 and a user B's publickey (Q₂) 124 in accordance with a duple digital signature verificationalgorithm (AL₂′) 108.

FIG. 2A is a block diagram showing a system configuration of the singledigital signature generation/verification system shown in FIG. 1 andFIG. 2B is a flow chart for illustrating the processing for the singledigital signature generation algorithm (AL₁) 105 mentioned previously inconjunction with the system shown in FIG. 1. Description will now bemade by reference to FIGS. 2A and 2B.

The system configuration shown in FIG. 2A bears correspondence to theone shown in FIG. 9. It can be seen that the former differs from thelatter in respect to the algorithm in the digital signature generatingblocks 1031 and 1032, the algorithm in the digital signature verifyingblock 1026 and the output algorithm in the block 1024.

Single Digital Signature Generation Algorithm (AL₁) 105

Step 201: Processing for executing this algorithm (AL₁) 105 is started.

Step 202: The user A's created document (M₁) 110, the base point (P) 117and the user A's private key (d1) 118 are inputted.

Step 203: A random number k₁ of l_(H) bits is generated.

Step 204: Computation is performed for determining k₁P=(x₁, y₁).

Step 205: Hash value r₁ (=h(x₁)) of l_(H)/2 bits is computed.

Step 206: Hash value e₁ (=H(M₁)) of l_(H) bits is computed.

Step 207: Computation is performed for determining a tally s₁ inaccordance with s₁=k₁+d₁(e₁+r₁) (mod n).

Step 208: value of the single digital signature (r₁, s₁) 111 isoutputted.

Step 209: The processing is terminated.

The single digital signature generated through the processing describedabove corresponds to an electronic image of a seal (“hanko” in Japanese)impressed on the message M₁ by the user A. In other words, the singledigital signature (r₁, s₁) can be generated only when the private key d₁equivalent to the seal kept only by the user A is used for the messageM₁ as furnished.

FIG. 3 is a flow chart for illustrating a processing for the singledigital signature verification algorithm (AL₁′) 106 in conjunction withthe system shown in FIG. 1. Description will now be made by reference toFIG. 3.

Single Digital Signature Verification Algorithm (AL₁′) 106

Step 301: Processing is started.

Step 302: The user A's created document (M₁) 110 and the single digitalsignature (r₁, s₁) 111 is inputted.

Step 303: The system key (P) 119 and the public key (Q₁) 120 areinputted.

Step 304: Hash value e₁=H(M₁) of l_(H) bits is computed.

Step 305: Computation is performed for determining a first point on anelliptic curve, i.e., a first elliptic point (x₁, y₁)=s₁P−(e₁+r₁)Q₁.

Step 306: A numeric value r₁′=h(x₁) is computed.

Step 307: When the condition that r₁=r₁′ is met, the processing proceedsto a step 308 while if otherwise to a step 310.

Step 308: A signal or data “authenticated” is outputted. Step 309: Thefirst elliptic point (x₁, y₁) is outputted, whereon the processingproceeds to a step 311.

Step 310: “Not authenticated” is outputted.

Step 311: The processing is then terminated.

Through the processing described above, it can be confirmed whether ornot the single or simple digital signature (r₁, s₁) is a correctsignature, i.e., whether or not the single digital signature (r₁, s₁)corresponds to the correct or true seal image. More specifically, uponreception of the message M₁ and the single or simple digital signature(r₁, s₁), the user B (or user B's computer) checks to confirm theauthenticity of the digital signature by referencing the public key Q₁which corresponds to the registered seal (“hanko”).

FIG. 4 is a flow chart for illustrating a processing for the dupledigital signature generation algorithm (AL₂) 107 in conjunction with thesystem shown in FIG. 1. Description will now be made by reference toFIG. 4.

Duple Digital Signature Generation Algorithm (AL₂) 107

Step 401: Processing is started.

Step 402: User B's addition or comment (M₂) 114, the base point (orsystem key) (P) 119 and the user B's private key (d₂) 121 are inputted.

Step 403: The first point (x₁, y₁) on the elliptic curve outputted inthe step 309 is fetched.

Step 404: A random number k₂ of l_(H) bits is generated.

Step 405: A point (x, y)=k₂P is computed.

Step 406: A second point (x₂, y₂)=(x₁, y₁)+(x, y) is computed.

Step 407: Hash value r₂=h(x₂) of l_(H)/2 bits is computed.

Step 408: Hash value e₂=H(M₂) of l_(H) bits is computed.

Step 409: Computation for determining a tally given bys₂=s₁+k₂+d₂(e₂+r₁+r₂) (mod n) is performed.

Step 410: Value of the duple digital signature (r₁, r₂, s₂) 113 isoutputted.

Step 411: The processing comes to an end.

The duple digital signature (r₁, r₂, s₂) generated through theprocessing described above corresponds to the seal image impressed on awhole document prepared by adding the user B's comment or addition (M₂)114 to the message (M₁) 110 created by the user A and affixed with thesingle digital signature (r₁, s₁) 111. More specifically, when themessage M₁ created by other person (user A) and affixed with the otherperson's single digital signature or the user A's single digitalsignature (r₁, s₁) in the case of the illustrated example is received bythe user B and when the user B wants to add the comment M₂, the dupledigital signature (r₁, r₂, s₂) is generated, which indicates that theseal is impressed for the whole document by using the private key d₂corresponding to the seal which only the user B possesses.

FIG. 5 is a flow chart for illustrating a processing for a duple digitalsignature verification algorithm (AL₂′) 108 in conjunction with thesystem shown in FIG. 1. Description will now be made by reference toFIG. 5.

Duple Digital Signature Verification Algorithm (AL₂′) 108

Step 501: Processing is started.

Step 502: The user A's created document (M₁) 115, the user B's addedcomment or addition (M₂) 114, and the duple digital signature (r₁, r₂,s₂) 113 are inputted.

Step 503: The base point or system key (P) 122, the user A's public key(Q₁) 123 and the user B's public key (Q₂) 124 are inputted.

Step 504: A hash value e₁=H(M₁) of l_(H) bits is computed.

Step 505: A hash value e₂=H(M₂) of As bits is computed.

Step 506: A second elliptic point given by (x₂,y₂)=s₂P−(e₁+r₁)Q₁−(e₂+r₁+r₂)Q₂ is computed.

Step 507: A numerical value r₂′=h(x₂) is computed.

Step 508: When r₂=r₂′, the processing proceeds to a step 509, and ifotherwise, to a step 511.

Step 509: A signal “authenticated” is outputted.

Step 510: The second elliptic point (x₂, y₂) is outputted, whereon theprocessing proceeds to a step 512.

Step 511: A signal or data “not authenticated” is outputted.

Step 512: The processing comes to an end.

Through the processing described above, it is confirmed whether or notthe duple digital signature (r₁, r₂, s₂) is a correct signature, i.e.,whether or not the duple digital signature (r₁, r₂, s₂) corresponds tothe correct or true seal image. More specifically, upon reception of themessage M₁, message M₂ and the duple digital signature (r₁, r₂, s₂), theuser C checks to confirm that the digital signature is madeauthentically by the very users A and B by referencing the public keysQ₁ and Q₂ which correspond to the registered seals. In that case, theuser C can confirm the authenticity of the digital signature withoutusing either the private key d₁ corresponding to the user A's seal orthe private key d₂ corresponding to the user B's seal.

In the foregoing, generation of the duple digital signature by using twoprivate keys d₁ and d₂ has been described as an exemplary embodiment ofthe invention. In this conjunction, it should be mentioned that theprinciple underlying the digital signature generating/verifying methoddescribed above can be extended in general for the generation of anN-tuple digital signature generated by using N private keys d₁, d₂, . .. , d_(N).

FIG. 6 is a block diagram showing a computer network configurationaccording to another embodiment of the invention on the assumption thatthe system is expanded so as to enable triple digital signatures, i.e.,N=3. Referring to the figure, there are newly connected to the network101, a user D's personal computer 606 in addition to the user A'spersonal computer 102, the user B's personal computer 103 and the userC's personal computer 104. Set up newly in the user C's personalcomputer 104 in addition to the dual digital signature verificationalgorithm (AL₂′) 108, the system key or base point (P) 122, the user A'spublic key (Q₁) 123 and the user B's public key (Q₂) 124 are a tripledigital signature generation algorithm (AL₃) 604 and a user C's privatekey (d₃) 605. The user C's personal computer 104 creates a user C'sissued document 601 and sends it to the user D's personal computer 606.The user C's issued document 601 contains newly a user C's addition orcomment (M₃) 603 and users A's, B's and C's signatures (r₁, r₂, r₃, s₃)602 in addition to the user A's created document (M₁) 613, the user B'saddition such as a comment (M₂) 614 and a user A's and B's signatures(r₁, r₂, s₂) 612. Set up in the user D's personal computer 606 are atriple digital signature verification algorithm (AL₃′) 607, a base point(P) 608, the user A's public key (Q₁) 609, the user B's public key (Q₂)610 and the user C's public key (Q₃) 611.

FIG. 7 is a flow chart for illustrating a processing for the tripledigital signature generation algorithm (AL₃) 604 executed by the userC's personal computer 104 shown in FIG. 6.

Triple Digital Signature Generation Algorithm (AL₃) 604

Step 701: Processing is started.

Step 702: The user C's addition or comment (M₃) 603, the private key(d₃) 605, the base point (P) 122 and the duple digital signature (r₁,r₂, s₂) 612 are inputted.

Step 703: Second elliptic point (x₂, y₂) outputted in the step 510 isfetched.

Step 704: A random number k₃ of l_(H) bits is generated.

Step 705: A point k₂P=(x, y) is computed.

Step 706: Coordinates (x₃, y₃)=(x₂, y₂)+(x, y) are computed.

Step 707: A hash value r₃=h(x₃) of l_(H)/2 bits is computed.

Step 708: A hash value e₃=H(M₃) of l_(H) bits is computed.

Step 709: A tally s₃=s₂+k₃+d₃(e₃+r₁+r₂+r₃) (mod n) is computed.

Step 710: Value of the triple digital signature (r₁, r₂, r₃, s₃) 602 isoutputted.

Step 411: The processing is terminated.

The triple digital signature (r₁, r₂, r₃, s₃) generated through theprocessing described above corresponds to the seal image impressed on awhole document obtained by adding the user C's comment or addition M₃ tothe messages M₁ and M₂ affixed with the users A and B's multiple digitalsignatures (r₁, r₂, s₂). More specifically, when the messages M₁ and M₂affixed with other users' multiple digital signature (i.e., the usersA's and Bs' multiple digital signatures in the case of the illustratedexample) (r₁, r₂, s₂) are received by a user (i.e., user C) and when theuser C wants to add the comment M₃, the triple digital signature (r₁,r₂, r₃, s₃) can be generated for the whole document created by the usersA and B and added with the comment M₃ by the user C only by using aprivate key d₃ corresponding to the seal which only the user Cpossesses.

FIG. 8 is a flow chart for illustrating a processing for the tripledigital signature verification algorithm (AL₃′) 607 executed by the userD's personal computer 606 in conjunction with the system shown in FIG.6. Description will now be made by reference to FIG. 8.

Triple Digital Signature Verification Algorithm (AL₃′) 607

Step 801: Processing is started.

Step 802: The user A's created document (M₁) 613, the user B's additionor comment (M₂) 614, the user C's addition or comment (M₃) 603 and thetriple digital signature (r₁, r₂, r₃, s₃) 602 is inputted.

Step 803: The base point (P) 608, the user A's public key (Q₁) 609, theuser B's public key (Q₂) 610 and the user C's public key (Q₃) 611 areinputted.

Step 804: A hash value e₁=H(M₁) of l_(H) bits is computed.

Step 805: A hash value e₂=H(M₂) of l_(H) bits is computed.

Step 806: A hash value e₃=H(M₃) of l_(H) bits is computed.

Step 807: A third point on the elliptic curve, i.e., a third ellipticpoint (x₃, y₃)=s₃P−(e₁+r₁)Q₁−(e₂+r₁+r₂)Q₂−(e₃+r₁+r₂+r₃)Q₃ is computed.

Step 808: Tally r₃′=h(x₃) is computed.

Step 809: When r₃′=r₃, the processing proceeds to a step 810, and ifotherwise, proceeds to a step 812.

Step 810: Signal “authenticated” is outputted.

Step 811: The third elliptic point (x₃, y₃) is outputted, whereon theprocessing proceeds to a step 813.

Step 812: Signal “not authenticated” is outputted.

Step 813: The processing comes to an end.

Through the processing described above, it is confirmed whether or notthe triple digital signature (r₁, r₂, r₃, s₃) is a correct signature,i.e., whether or not the triple digital signature (r₁, r₂, r₃, s₃)corresponds to the correct or true seal image. More specifically, uponreception of the message M₁, the message M₂, the message M3 and thetriple digital signature (r₁, r₂, r₃, s₃)), the user D can check toconfirm whether or not the digital signatures have been made by the veryusers A, B and C by referencing the public keys Q₁, Q₂ and Q₃ whichcorrespond to the registered seals (“hanko”) of the users A, B and C,respectively.

The above-mentioned digital signature generation/verification method canbe expanded to the case where N is equal to or greater than “4” (four).In other words, in general, a digital signature generating/verifyingmethod for verifying electronically a multiple digital signature affixedto messages and/or comments M₁ created and/or added by N users (i=1, . .. , N) can be carried out in general as follows:

Procedure for Verifying Multiple Digital Signature by Users i (2≦i≦N)

Step 901: Processing is started.

Step 902: The (i−1) messages or comments M₁, . . . , M_(i−1) and the(i−1)-tuple digital signature (r₁, . . . , r_(i−1), s_(i−1)) issued byan immediately preceding user (i−1) are received.

Step 903: Computation of a hash value e_(k)=H(M_(k)) is repeated for theuser (i−1) starting from k=1.

Step 904: Public keys Q_(k) previously generated for satisfyingQ_(k)=d_(k)P and registered are inputted repetitionally for the user(i−1) starting from k=1.

Step 905: A point (x_(i−1), y_(i−1)) on the elliptic curve given by thefollowing expression (5) is computed.$( {x_{i - 1},y_{i - 1}} ) = {{s_{i - 1}P} - {\sum\limits_{k = 1}^{i - 1}\quad {( {e_{k} + {\sum\limits_{M = 1}^{k}\quad r_{m}}} )Q_{k}}}}$

Step 906: A hash value r_(i−1)′=h(x_(i−1)) is computed.

Step 907: When r_(i−1)=r_(i−1)′, then data or signal indicating“authenticated” is issued.

Step 908: Point (x_(i−1), y_(i−1)) on the elliptic curve is outputted,whereon the processing proceeds to a step 910.

Step 909: If r_(i−1)°r_(i−1)′, data indicating “not-authenticated” isissued.

Step 910: The processing comes to an end.

In other words, the digital signature generation/verification method forgenerating electronically the multiple digital signature affixed tomessages and/or comments (i.e., document) M_(i) created or added by Nusers (i=1, . . . , N) can be performed as follows:

Generation Procedure of Multiple Digital Signature by Users i (2≦i≦N)

Step 1001: Processing is started.

Step 1002: The point (x_(i−1), y_(i−1)) obtained at the step 908 isinputted.

Step 1003: A hash value e_(i)=H(M_(i)) is computed.

Step 1004: A random number k_(i) is generated.

Step 1005: Point k_(i)P=(x, y) is computed.

Step 1006: Point (x_(i), y_(i))=(x_(i−1), y_(i−1))+(x, y) are computed.

Step 1007: A hash value r_(i)=h(x_(i)) is computed.

Step 1008: By using private keys d_(i), the tally s_(i) given by thefollowing expression is determined.$s_{i} = {s_{i - 1} + k_{i} + {{d_{i}( {e_{i} + {\sum\limits_{k = 1}^{i}\quad r_{k}}} )}\quad ( {{mod}\quad n} )}}$

Step 1009: A set of the numerical values (r₁, . . . , r_(i), . . . ,s_(i)) is outputted as the digital signature.

The embodiments of the invention described by reference to FIGS. 3 to 5are directed to the multiple digital signature realized by making use ofthe addition defined on the elliptic curve. However, in general, suchmultiple digital signature can equally be realized by resorting tobinary operation defined on the abelian group.

By way of example, in a set Z_(n) of integers from “1” to “n−1” (where nrepresents a large prime number on the order of 1,000 bits),multiplication is defined in the world of modulo n. Then, Z_(n)represents an abelian group. The base point P (1<P<n) is selectedappropriately with the private key d and the public key Q being soselected that the following relation can apply valid:

Q=P^(d) (mod n)  (1)

In conjunction with the above expression (1), it is noted that theproblem of determining d for given values of Q, P and n represents adiscrete logarithm problem which is difficult to solve in view of thecomputational overhead when the value of n is large.

On the presumption mentioned above, the single digital signaturegeneration algorithm (AL₁) 105 described previously by reference to FIG.2, for example, is modified as follows:

Single Digital Signatures Generation Algorithm (AL₁)

Step 201: The processing is started.

Step 202: The user A's created document M₁, the base point P and theprivate key d1 are inputted.

Step 203: A random number or integer k₁ of l_(H) bits is generated.

Step 204: Computation is performed for determining x₁=P^(k) ^(₁) .

Step 205: A hash value r₁=h(x₁) of l_(H)/2 bits is computed.

Step 206: A hash value e₁=H(M₁) of l_(H) bits is computed.

Step 207: Computation is performed for determining the tallys₁=k₁+d₁(e₁+r₁) (mod n).

Step 208: Value of the single digital signature (r₁, s₁) is outputted.

Step 209: The processing comes to an end.

The single digital signature (r₁, s₁) obtained, being modified asmentioned above, brings about advantageous effects similar to thoseobtained in the digital signature generating/verifying method describedhereinbefore by reference to FIG. 2. Similar modification of themultiple digital signatures can provide similar advantages as thosementioned hereinbefore.

With the arrangements of the digital signature generating/verifyingsystems described above, there can be assured such advantageous effectsas mentioned below.

(1) It is impossible to forge a digital signature of other personwithout knowing the other person's private key. Security concerning theforgery prevention of the single digital signature (r₁, s₁) will bedemonstrated by the proposition 1 described hereinafter.

(2) The length of the digital signature can be shortened. By way ofexample, assuming that the order n is 160 bits and that the length ofthe output value of the total hash function H is 160 bits, then thelength of the single digital signature in the conventional system is 240bits. By contrast, in the case of the systems according to theinvention, the length of the single digital signature is 240 bits.Furthermore, the length of the duple digital signature in theconventional system is 640 bits, whereas in the systems according to theinvention, it is only 320 bits. In general, in the case where theN-tuple digital signature is affixed, the total length of the digitalsignatures is of 320×N bits, whereas in the system according to thepresent invention, it is 160+80×N bits. Thus, when the value of N islarge, the length of the digital signature according to the inventioncan be reduced by ca. ¼ when compared with the signature length in theconventional system. In other words, the length of the digital signaturecan be significantly reduced according to the teachings of theinvention.

(3) According to the invention, it is possible to make the length of thedigital signature be independent of the length of the order n. Assumingnow that the length of the output of the total hash function H issufficiently greater than that of the random integer k, the length ofthe tally s of the signature can be suppressed smaller than the lengthof the outputs of the total hash function H plus the length of theprivate key d. Thus, independent of the length of the order n, thelength of the N-tuple digital signatures can be made to be not greaterthan “the length of the output of the whole hash function H+private keyd+N×length of the output of the half-hash function h”.

In each of the digital signature generation/verification systemaccording to the embodiment of the invention described above, theprocessing steps of executing the digital signature generating methodcan be stored in the form of a programs in a recording medium such as aCD-ROM, a floppy-disk, a semiconductor memory or the like, wherein theprogram can be loaded and executed in a computer for generating thedigital signature for thereby generating the digital signature.Similarly, the processing steps included in the input digital signatureverifying method can be loaded in the computer for the digital signatureverification in the form of a program to be executed for verifying thedigital signature. Needless to say, the digital signaturegenerating/verifying program mentioned above may be down-loaded toclient personal computers from the server computer.

Lemma (Subsidiary Proposition) 1

It is presumed that H represents a hash function having a one-wayproperty, the algorithm AL is not difficult to execute in view of thecomputational overhead and that data generated without resorting to theuse of the hash function is inputted to thereby generate on a memory inthe course of computation the numerical values of x and y which satisfythe equation “y=H(x)”. In that presumed case, the numerical value y cannever make appearance on the memory so long as the numerical value x hasnot made appearance ever on the memory in the past.

Demonstration

Demonstration will be made by resorting to “reductio ad absurdum(reduction to absurdity)” or irrationality. It is assumed that the valuey satisfying the function y=H(x) has made appearance on the memory inprecedence to the value x. However, since the hash function H is of theone-way property, computation for the reverse transformation of the hashfunction H, i.e., x=H⁻¹(y) is impossible. Accordingly, in order togenerate the value x on the memory, it is necessary to supply externallysuch input data from which the value x capable of satisfying the hashfunction y=H(x), which however contradicts to the inputting of the datagenerated without using the hash function H.

The Demonstration of the lemma 1 is now concluded.

Proposition 1

It is presumed that the discrete logarithm problem concerning theaddition on the elliptic curve can not be solved. Additionally, it isassumed that the hash function H(•) of l_(H) bits has collision-freeproperty as well as the one-way property. Furthermore, it is presumedthat the hash function h(•) of l_(H)/2 bits has also the one-wayproperty. In that case, when l_(n)≧l_(H), there exists no algorithm AL₃which can output in response to the inputting of the base point (systemkey) P and the public key Q₁ the message M₁ and the single digitalsignature (r₁, s₁) for which the algorithm AL₁ outputs “authenticate” solong as the private key d₁ is unknown.

Demonstration

Now, it is supposed that such algorithm AL₃ exists which can output inresponse to the inputted system key or base point P and the public keyQ₁, the message M₁ and the single digital signature (r₁, s₁) for whichthe verification processing AL₁′ outputs “authenticate” without knowingthe private key d₁. More specifically, it is supposed that suchalgorithm AL₃ exists for which the inputs and the outputs are asfollows:

Input to the algorithm AL₃: system key (base point) P, and public key Q₁

Output from the algorithm AL₃: message M₁, single digital signature (r₁,s₁) where the message M₁ and the single digital signature (r₁, s₁)satisfy the following conditions:

(x₁, y₁)=s₁P−(e₁+r₁)Q₁  (2)

r₁=h(x₁)  (3)

e₁=H(M₁)  (4)

It should be noted that l_(n)≧l_(H) holds true.

On the conditions mentioned above, the number of the outputs from thealgorithm AL₃ is three, i.e., M₁, s₁ and r₁. Accordingly, in the courseof the processing according to the algorithm AL₃, the correct outputvalues make appearance in either one of the orders or sequencesmentioned below: Case 1: Correct output values make appearance in thesequence of s₁, r₁ and M₁. Case 2: Correct output values make appearancein the sequence of r₁, s₁ and M₁. Case 3: Correct output values makeappearance in the sequence of s₁, M₁ and r₁. Case 4: Correct outputvalues make appearance in the sequence of M₁, s₁ and r₁. Case 5: Correctoutput values make appearance in the sequence of r₁, M₁ and s₁. Case 6:Correct output values make appearance in the sequence of M₁, r₁ and s₁.

In the cases 1 and 2 mentioned above, the correct output values of s₁and r₁ make appearance in precedence with the correct value of themessage M₁ making no appearance at a given time point in the course ofthe processing. Since h in the expression (3) represents the hashfunction, the correct output value of the tally x₁ must make appearancein precedence to that of the tally r₁ in the light of the “Lemma 1”stated previously. When the value of the tally x₁ is determined thevalue of the tally y₁ assumes either one of two values ±β because theterm (x₁, y₁) in the expression (2) represents a point on the ellipticcurve E. In correspondence to the value +β or −β of the tally y₁, thehash value e₁ which can satisfy the condition given by the expression(2) is limited to two different values. After the time point of concern,the message M₁ satisfying the condition given by the expression (4) sothat the hash value e₁ assumes either one of the two value must bedetermined, which however contradicts to the fact that “H” in theexpression (4) represents the hash function. Accordingly, the situationscorresponding to the Cases 1 and 2 can not take place.

In the Cases 3 and 4 mentioned above, the correct output value of s₁ andthe message M₁ make appearance in precedence with the correct value ofthe correct output value r₁ making no appearance at a given time pointin the course of the processing. At this time point, the hash value e₁can be determined definitely in accordance with the expression (4).After this time point, the value of the tally r₁ satisfying theconditions given by the expressions (2) and (3) must be determined.However, it will never occur that the correct output value of the tallyr₁ makes appearance at first, being followed by determination of thevalue for the coordinate x1. This is because “h” in the expression (3)represents the hash function. Besides, such case will not occur in whichthe correct output value of x₁ makes appearance in precedence andthereafter the value of r₁ is determined. Because, if otherwise, thediscrete logarithm problem concerning the addition on the ellipse can besolved in conjunction with the expression (2), which contradicts theproposition stated hereinbefore. In other words, the value of r₁ can notbe determined at any time point. Thus, the situations corresponding tothe Cases 3 and 4 can not occur.

In the Cases 5 and 6 mentioned above, the correct output values of thetally r₁ and the message M₁ make appearance in precedence with thecorrect value of the tally s₁ making no appearance at a given time pointin the course of the processing. At this given time point, the hashvalue e₁ can be determined definitely in accordance with the expression(4). After this time point, the value of the tally s₁ satisfying theconditions given by the expressions (2) and (3) must be determined.However, it will never occur that the correct output value of the tallys₁ makes appearance at first, being then followed by determination ofthe value for the coordinate x₁. This is because “h” in the expression(3) represents the hash function and the correct output value of x₁ canmake appearance before the output value of r₁ is determined precedingly.Besides, such case will not occur in which the correct output value ofx₁ makes appearance in precedence and thereafter the value of s₁ isdetermined. Because, if otherwise, the expression (2) can be solvedconcerning the unknown s₁, that is, the discrete logarithm problemconcerning the addition on the ellipse can be solved, which contradictshowever the proposition stated hereinbefore. In other words, the valueof s₁ can not be determined at any time point. Thus, the situationscorresponding to the Cases 5 and 6 can not occur.

Thus, there occurs none of the situations corresponding to the Cases 1to 6 mentioned previously. Thus, the algorithm AL₃ does not exist.

Now, the demonstration is concluded.

By the way, it should be noted that in conjunction with thedemonstration of the Proposition 1 that the algorithm AL₃ may existunless the Proposition 1 that l_(n)≧l_(H) applies valid.

To say in another way, if the condition l_(n)<l_(H) should hold true,there may arise such situation that the message M₁ and the singledigital signature (r₁, s₁) for which the single digital signatureverifying algorithm AL₁′ outputs “authenticated” can be generatedwithout knowing the private key d.

By way of example, let's suppose that in the computation “s=k+d(r+e)(mod n)”, the value of l_(n) is small and hence the value of n is small.Then, the collision-free property of hash value e=H(M) (mod n) maycollapse, incurring such case where computation is performed such thatthe tally s can assume a same value for messages M and M′notwithstanding of the fact that the message M is not same as themessage M′, i.e., M≠M′, as exemplified below.

Let's suppose, by way of example, that the messages M and M′ are writtenapplications for purchasing a car.

Message M

To FT J#&•GH Sales Company

I will purchase the car A at 1,050,000 yens.

To be signed by Takaragi

Message M′

To IG#. Hy8(Jk) Sales Company

I will purchase the car A at 2,050,000 yens.

To be signed by Takaragi

Again suppose that the malicious sales company prepared the writtenapplication for purchase such as the message M and handed it over to Mr.Takaragi under the false pretense that the leading character string “FTJ#•GH” is added for the purpose of ensuring security and that Mr.Takaragi signed the written application (message M) with pleasurebecause of low price of the car A. Later on, Mr. Takaragi receives abill demanding payment of 2,050,000 yens together with the exhibit ofthe message M′ affixed with his signature, to his great surprise.However, verification of the message M′ shows that Mr. Takaragi hassigned the written application or message M′.

In order to exclude positively the injustice such as mentioned above, itis necessary that H represents the hash function which has not only theone-way property but also the collision-free property and that theparameter n relevant to the elliptic curve relation is assigned with alarge value for validating the condition that l_(n)≧l_(H).

It should be additionally mentioned in conjunction with the“Demonstration” described above that the hash function h may be only ofthe one-way property and need not necessarily have the collision-freeproperty. However, in case the hash function h is not of the one-wayproperty, the values which can satisfy the condition given by theexpression (3) may be found by arithmetically determining a variety ofvalues for x by changing s and M while fixing r in the expression (2).The message M and the signature (s, r) found in this way may constituteforged message and signature. For this reason, it is necessarilyrequired that the hash function h is of the one-way property.

Moreover, according to the teaching of the invention, the length of thedigital signature can be shortened.

More specifically, the single digital signature (r₁, s₁) has a bitlength equal to l_(n)+l_(H)/2 (e.g. 240 bits), and thus the length ofthe signature can be shortened when compared with the conventionalsignature length l_(n)+l_(n) (e.g. 320 bits). Furthermore, the length ofthe duple digital signature (r₁, r₂, s₂) is (l_(n)+l_(H)/2+l_(H)/2) bits(e.g. 320 bits), which is significantly shorter than the length of theconventional signature l_(n)+l_(n)+l_(n) (e.g. 480 bits).

Proposition 2

It is presumed that the discrete logarithm problem concerning theaddition on the elliptic curve can not be solved. Additionally, it isassumed that the hash function H(•) of l_(H) bits has the collision-freeproperty as well as the one-way property. Furthermore, it is presumedthat the hash function h(•) of l_(H)/2 bits has the one-way property aswell. In that case, so long as l_(n)≧l_(H), there exists no algorithmAL₄ which can output the duple digital signature (r₁, r₂, s₂) for whichthe algorithm AL₂ outputs “authenticated” without knowing the privatekey d₁.

Demonstration

Now, it is supposed that such algorithm AL₄ exists which generates theduple digital signature (r₁, r₂, s₂) for which the verificationprocessing according to the algorithm AL₂′ outputs “authenticated”without knowing both the private key d₁ and the private key d₂. Namely,presumption is made as follows:

Input to the processing AL₄: system key (base point) P, and public keysQ₁ and Q₂, and

Output from the processing AL₄: messages M₁ and M₂, duple digitalsignature (r₁, r₂, s₂),

where the duple digital signature (r₁, r₂, s₂) satisfies the followingconditions:

 e₁=H(M₁)  (4)

e₂=H (M₂)  (5)

(x₂, y₂)=s₂P−(e₁+r₁)Q₁−(e₂+r₁+r₂)Q₂  (6)

r₂=h(x₂)  (7)

In the course of executing the processing according to the algorithmAL₄, the correct output values make appearance in either one of thesequences mentioned below: Case 1: Correct output values make appearancein the sequence of s₂, r₁ and r₂. Case 2: Correct output values makeappearance in the sequence of r₁, s₂ and r₂. Case 3: Correct outputvalues make appearance in the sequence of s₂, r₂ and r₁. Case 4: Correctoutput values make appearance in the sequence of r₂, s₂ and r₁. Case 5:Correct output values make appearance in the sequence of r₁, r₂ and s₂.Case 6: Correct output values make appearance in the sequence of r₂, r₁and s₂.

In conjunction with the Case 1 to 6 mentioned above, it is noted thatthe computation sequence that the correct output value of the tally r₂is determined in accordance with the expression (7) only after thecorrect output value of the coordinate x has made appearance is commonto all the Case 1 to 6. If otherwise, it contradicts the presumptionthat the hash function h is of the one-way property.

Additionally, the computation sequence that the hash values e₁ and e₂are determined in accordance with the expressions (4) and (5),respectively, only after the correct output values of the messages M₁and M₂ have made appearance is also common to the all the aforementionedCases 1 to 6. If otherwise, it contradicts the presumption that the hashfunction H is of the one-way property and collision-free.

In the Cases 1 and 2, the correct output values of the tallies s₂ and r₁make appearance at first at a given time point in the course ofexecuting the processing whereas the correct output value of the tallyr₂ makes no appearance. After the above-mentioned given time point, thetally r₂ which satisfies the condition given by the expression (6) mustbe determined. In this conjunction, however, the following facts (a),(b) and (c) have to be taken into account.

(a) Such situation does not occur in which the correct output value ofthe tally r₂ makes appearance finally after the appearance of thecorrect hash values e₁ and e₂. More specifically, the computationsequence in this case will be such that the value of the coordinate x₂is determined and then the tally r₂ determined. However, this means thatthe equation (6) can be solved with the tally r₂ as the unknown, whichcontradicts the presumption that the discrete logarithm problem on theelliptic curve is insolvable.

(b) Such situation can not occur that the correct hash value e₂ isoutputted only after the appearance of the correct output values for thehash value e₁ and the tally r₂, because, if otherwise, the equation (6)is solved with the hash value e₂ as the unknown, which contradicts thepresumption that the discrete logarithm problem on the elliptic curve isinsolvable.

(c) Such situation can not occur that the correct output value for thehash value e₁ makes appearance only after the appearance of the correctoutput voltages for the hash value e₂ and the tally r₂, because, ifotherwise, the equation (6) is solved with the hash value e₂ as theunknown, which of course contradicts the presumption that the discretelogarithm problem on the elliptic curve is insolvable.

In the Cases 3 and 4, the correct output values of the tallies s₂, r₂and x₂ make appearance at first at a given time point in the course ofexecuting the processing, whereas the correct output value of the tallyr₂ makes no appearance. After the above-mentioned given time point, thetally r₁ which satisfies the condition given by the expression (6) mustbe determined. Such situation does not occur in which the correct outputvalue of the tally r₁ makes appearance finally after the appearance ofthe correct hash values e₁ and e₂. Supposing that the correct outputvalue for the hash value e₂ makes appearance finally, then it follows:

(i) If the private keys d₁ and d₂ are known, the expression (6) can bemodified as follows:

(x₂, y₂)={s₂−d₁(e₁+r₁)}P−(e₂+r₁+r₂)Q₂  (8)

The above equation (8) is solvable with a tally r₁ as the unknown, whichof course contradicts the presumption that the discrete logarithmproblem on the elliptic curve is insolvable.

(ii) If the private key d₂ is known with the private key d₁ beingunknown, the expression (6) can be modified as follows:

(x₂, y₂)={s₂−d₂(e₂+r₁+r₂)}P−(e₁+r₁)Q₁  (9)

The above equation (9) is solvable with the tally r₁ as the unknown,which is in contradiction to the presumption that the discrete logarithmproblem on the elliptic curve is solvable.

(iii) When neither the private key d₂ nor the private key d₁ is known,the equation (6) is solvable with the tally r₁ as the unknown, which isin contradiction to the presumed insolvability of the discrete logarithmproblem on the elliptic curve.

In view of the foregoing, it can be concluded that the correct outputvalue for the tally r₁ can not make appearance finally after the outputof the correct hash values e₁ and e₂.

(b) Such situation can not occur that the correct output value for thehash value e₁ makes appearance only after the appearance of the correctoutput voltages for the hash value e₁ and the tally r₁, because, ifotherwise, the equation (6) is solved with the hash value e₁ as theunknown, which of course contradicts the presumption that the discretelogarithm problem on the elliptic curve is insolvable.

(c) Such situation can not occur that the correct output value for thehash value e₁ makes appearance only after the appearance of the correctoutput voltages for the hash value e₁ and the tally r₁, because, ifotherwise, the equation (6) is solved with the hash value e₂ as theunknown, which of course contradicts the presumption that the discretelogarithm problem on the elliptic curve is insolvable. Thus, Cases 3 and4 can not occur.

In the Cases 5 and 6, the correct output values of the tallies r₁, r₂and x₂ make appearance at first at a given time point in the course ofexecuting the processing whereas the correct output value of the tallys₂ makes no appearance. After the above-mentioned given time point, thetally s₂ which satisfies the condition given by the expression (6) mustbe determined. In this conjunction, however, the following facts (a),(b) and (c) have to be taken into account. However, in that case, (a)such situation does not occur in which the correct output value of thetally s₂ makes appearance finally after the appearance of the correcthash values e₁ and e₂. Because, this means that the equation (6) can besolved with the tally s₂ as the unknown, which contradicts thepresumption that the discrete logarithm problem on the elliptic curve isinsolvable. Further, (b) such situation can not occur that the correcthash value e₂ is outputted only after the appearance of the correctoutput values for the hash value e₁ and the tally s₂, because, ifotherwise, the equation (6) is solved with the hash value e₂ as theunknown, which contradicts the presumption that the discrete logarithmproblem on the elliptic curve is insolvable. Furthermore, (c) suchsituation can not occur that the correct output value for the hash valuee₁ makes appearance only after the appearance of the correct outputvoltages for the hash value e₂ and the tally s₂, because, if otherwise,the equation (6) is solved with the hash value e₁ as the unknown, whichof course contradicts the presumption that the discrete logarithmproblem on the elliptic curve is insolvable. Thus, Cases 5 and 6 can notoccur.

From the foregoing, it is concluded that none of the Cases 1 to 6 canoccur and thus the algorithm AL₄ does not exist.

Now, the demonstration is concluded.

As will now be appreciated from the foregoing description, there havebeen provided a public key encryption method of high security and asystem for carrying out the same.

Further, with the public key encryption method and the system accordingto the invention, the length of the digital signature can be shortened.

Additionally, according to the present invention, the public keyencryption method and the system can be so realized that the length ofthe digital signature has no dependency on the length of the order ofthe base point (system key).

Many features and advantages of the present invention are apparent fromthe detailed description and thus it is intended by the appended claimsto cover all such features and advantages of the system which fallwithin the true spirit and scope of the invention. Further, sincenumerous modifications and combinations will readily occur to thoseskilled in the art, it is not intended to limit the invention to theexact construction and operation illustrated and described. Accordingly,all suitable modifications and equivalents may be resorted to, fallingwithin the spirit and scope of the invention.

What is claimed is:
 1. A digital signature generating method forgenerating a digital signature authenticating electronically a signatureaffixed to a given message, M, by resorting to a public key encryptionscheme, comprising the steps of: determining for said message, M, afirst hash value, e, satisfying a condition that e=H(M) by using a firsthash function, H; determining for a numerical value, x, obtained fromtranslation of a random number and independent of said message, a secondhash value, r, satisfying a condition that r=h(x) by using a second hashfunction, h, whose output value is shorter than that of said first hashfunction, H, said second hash value being independent of said message;and arithmetically determining and outputting said digital signature byusing said first hash value, e, and said second hash value, r, asdetermined.
 2. A digital signature generating method according to claim1, wherein for generating a digital signature (r₁, s₁) for a givenmessage, M₁, said method comprises the steps of: determining a hashvalue, e₁, satisfying a condition that e₁=H(M₁) by using said first hashfunction, H; generating a random number, k₁; determining an element, R₁,by multiplying an element, P, of an abelian group by said random number,k₁; determining a first numerical value, r₁, satisfying a condition thatr₁=h(R₁) by using the second hash function, h, whose output value isshorter than the output value of the first hash function, H; determininga second numerical value, s₁, satisfying a condition thats₁=k₁+d₁(e₁+r₁) (mod n) by using the order, n, of said element, P, ofsaid abelian group and a private key, d₁; and outputting a set of saiddetermined numerical values (r₁, s₁) as a digital signature.
 3. Adigital signature generating method according to claim 2, wherein saidelement, P, of said abelian group corresponds to a point, P, on anelliptic curve.
 4. A digital signature verifying method for verifying adigital signature authenticating electronically a signature affixed to agiven message, M, by resorting to a public key encryption scheme,comprising the steps of: determining for said message, M, a first hashvalue, e, satisfying a condition that e=H(M) by using a first hashfunction, H; determining a second hash value, r′, from a numericalvalue, x, said numerical value, x, being obtained from arithmeticoperation of an inputted digital signature (r, s), a public key, Q, andan element, P, and which has been selected independently, said secondhash value, r′, satisfying a condition that r′=h(x) from said first hashvalue, e, said digital signature (r, s), said element, P, and saidpublic key, Q, by using a second hash function, h, whose output value isshorter than that of said first hash function, H, said second hash valvebeing independent of said message; and comparing said second hash value,r′, with a tally, r, of said inputted digital signature to therebyobtain a result of verification of said inputted digital signature.
 5. Adigital signature verifying method according to claim 4, wherein forverifying a digital signature (r₁, s₁ ) of a given message, M₁, saidmethod comprises the steps of: determining a hash value, e₁, satisfyinga condition that e₁=H(M₁); inputting a public key, Q₁, generatedpreviously so as to satisfy a condition Q₁=d₁P, where d₁ represents aprivate key, said public key, Q₁, having been registered; determiningarithmetically a point, R₁, of an abelian group, said point, R₁, beinggiven by R₁=s₁P−(e₁+r₁) Q₁; determining a hash value, r₁′, satisfying acondition that r₁′=h(R₁); outputting a data indicating that said digitalsignature is authenticated, when said hash value, r₁′, coincides withsaid tally, r, of said digital signature; and outputting a dataindicating that said digital signature is not authenticated unless saidhash value, r₁′, coincides with said tally, r₁, of said digitalsignature.
 6. A digital signature verifying method according to claim 5,wherein said abelian group includes an elliptic curve.
 7. A digitalsignature generating method for generating a multiple digital signatureauthenticating electronically signatures affixed to messages and/orcomments, M_(i), as created and/or added sequentially by N users i(where i=1, . . . , N) by using a public key encryption scheme,comprising the steps of: (a) determining for a given one of saidmessages, M_(i), a first hash value, e_(i), satisfying a condition thate_(i)=H(M_(i)) by using a first hash function, H; (b) determining for anumerical value, x_(i), obtained from translation of a random number andindependent of said message a second hash value, r_(i), satisfying acondition that r_(i)=h(x_(i)) by using a second hash function, h, whoseoutput value is shorter than that of said first hash function, H,wherein the value r_(i) is part of data configuring a digital signature,said second hash valve being independent of said message; (c) executingsaid steps (a) and (b) for each of said users i (where i=1, . . . , N);and (d) determining arithmetically said multiple digital signatures onthe basis of the hash values (e_(i) and r_(i)) determined in said step(c).
 8. A multiple digital signature generating method according toclaim 7, wherein for generating said multiple digital signature by useri (i≧2), said method comprises the steps of: inputting a set of numericvalues (x_(i−1), y_(i−1)) obtained from translation of random numbers;computing a hash value e_(i)=H(M_(i)); generating a random number k_(i);computing a point k_(i)P=(x, y); computing a point (x_(i),y_(i))=(x_(i−1), y_(i−1))+(x, y); computing a hash value r_(i)=h(x_(i));determining by using a private key, d_(i), a tally, s_(i), satisfying acondition given by the following expression:${s_{i} = {s_{i - 1} + k_{i} + {{d_{i}( {e_{i} + {\sum\limits_{k = i}^{i}\quad r_{k}}} )}\quad ( {{mod}\quad n} )}}};$

 and outputting a set of numerical values (r₁, . . . , r_(i), s_(i)) assaid multiple digital signature, wherein the value s_(i) is part of dataconfiguring a digital signature.
 9. A multiple digital signatureverifying method according to claim 7, wherein for generating a multipledigital signature by users i (i≧2), said method comprises the steps of:inputting (i−1) messages and/or comments (M₁, . . . M_(i−1)) and(i−1)-tuple digital signature (r_(i), . . . , r_(i−1), s_(i−1)) issuedby an immediately preceding user (i−1); repeating computation of hashvalues e_(k)=H(M_(k)), where k represents 1 to (i−1); inputtingrepetitionally public keys Q_(k) generated so as to satisfy a conditionthat Q_(k)=d_(k)P, where k represents 1 to (i−1); computing an element(R_(i−1)) of an abelian group in accordance with${( R_{i - 1} ) = {{S_{i - 1}P} - {\sum\limits_{k = 1}^{i - 1}\quad ( {e_{k} + {\sum\limits_{M = 1}^{k}\quad r_{m}}} )_{Q^{k}}}}};$

 computing a hash value (r′_(i−1)=h(R_(i−1)); issuing data indicating“authenticated” when said hash value, r_(i−1)′, coincides with a tally,r_(i−1), of said (i−1)-tuple digital signature; and issuing dataindicating “not-authenticated” unless said hash value, r_(i−1)′,coincides with said tally, r_(i−1).
 10. A digital signature verifyingmethod according to claim 9, wherein said abelian group includes anelliptic curve.
 11. A digital signature verifying method for verifying amultiple digital signature authenticating electronically signaturesaffixed to messages and/or comments, M_(i), as created and/or addedsequentially by N users i (where i=1, . . . , N) by resorting to apublic key encryption scheme, comprising the steps of: (a) determiningfor the inputted message, M_(i), a first hash value, e_(i), satisfying acondition that e_(i)=H(M_(i)) by using a first hash function, H; (b)determining for a numerical value, x_(i), obtained by arithmeticoperation of an inputted multiple digital signature (r_(i), s_(i)), apublic key, Q, and an element, P, and independent of said message, asecond hash value, r_(i)′, satisfying a condition that r_(i)′=h(x_(i))on the basis of said first hash value, e_(i), said digital signature(r_(i), s_(i)), said element, P, and said public key, Q, by using asecond hash function, h, whose output value is shorter than that of saidfirst hash function, H, said second hash value being independent of saidmessage; (c) executing said steps (a) and (b) for each of said users i(where i represents integers “1” to “N” inclusive, respectively); and(d) comparing each of said hash values, r_(i)′, determined in said step(c) with each of said tallies, r, of said inputted multiple digitalsignature to thereby obtain results of verification of said inputteddigital signature.
 12. A digital signature generating system forgenerating a digital signature authenticating electronically a signatureaffixed to a given message, M, by resorting to a public key encryptionscheme, comprising: processing means for determining for said message,M, a first hash value, e, satisfying a condition that e=H(M) by using afirst hash function, H; processing means for determining for a numericalvalue, x, obtained from translation of a random number and independentof said message, a second hash value, r, satisfying a condition thatr=h(x) by using a second hash function, h, whose output value is shorterthan that of said first hash function, H, said second hash value beingindependent of said message; and arithmetic/output means forarithmetically determining and outputting said digital signature byusing said first hash value, e, and said second hash value, r, asdetermined.
 13. A digital signature generating system according to claim12, wherein for generating a digital signature (r₁, s₁) for a givenmessage, M₁, said system comprises: means for determining a hash value,e₁, satisfying a condition that e₁=H(M₁) by using the first hashfunction, H; means for generating a random number, k₁; means fordetermining an element, R₁, by multiplying an element P, of the abeliangroup by said random number, k₁; means for determining a first numericalvalue, r₁, satisfying a condition that r₁=h(R₁) by using the second hashfunction, h, whose output value is shorter than that of said first hashfunction, H; means for determining a second numerical value, s₁,satisfying a condition that s₁=k₁+d₁(e₁+r₁) (mod n) by using order, n₁,of said element, P, of the abelian group and a private key, d₁; andmeans for outputting a set of said determined numerical values (r₁, s₁)as a digital signature.
 14. A digital signature verifying systemaccording to claim 13, wherein said abelian group corresponds to anelliptic curve.
 15. A digital signature verifying system for verifying adigital signature authenticating electronically a signature affixed to agiven message, M, by resorting to a public key encryption scheme,comprising: first arithmetic means for determining for said givenmessage, M, a first hash value, e, satisfying a condition that e=H(M) byusing a first hash function, H; second arithmetic means coupled to saidfirst arithmetic means for determining for a numerical value, x,obtained from arithmetic operation of an inputted digital signature (r,s), a public key, Q, and a base point, P, and independent of saidmessage, a second hash value, r′, satisfying a condition that r′=h(x)from said first hash value, e, said digital signature (r, s), said basepoint, P, and said public key, Q, by using a second hash function, h,whose output value is shorter than that of said first hash function, H,said second hash value being independent of said message; andverification result output means coupled to said first and secondarithmetic means for comparing said hash value, r′, with a tally, r, ofsaid inputted digital signature to thereby obtain a result ofverification of said inputted digital signature.
 16. A digital signatureverifying system according to claim 15, wherein for verifying a digitalsignature (r₁, s₁) of a given message, M₁, said system comprises: meansfor determining a hash value, e₁, satisfying a condition that e₁=H(M₁);means for inputting a public key, Q₁, generated previously so as tosatisfy a condition Q₁,=d₁P, where d₁ represents a private key, saidpublic key, Q₁, having been registered; means for determiningarithmetically an element, R₁, of an abelian group, said element, R₁,being given by R₁=s₁P−(e₁+r₁)Q₁; means for determining a hash value,r₁′, satisfying a condition that r₁′=h(R₁); means for outputting a dataindicating that said digital signature is authenticated, when said hashvalue, r₁′, coincides with a tally, r₁, of said digital signature; andmeans for outputting a data indicating that said digital signature isnot authenticated, unless said hash value, r₁′, coincides with saidtally, r₁, of said digital signature.
 17. A digital signature verifyingsystem according to claim 16, wherein said abelian group includes anelliptic curve.
 18. A digital signature generating system for generatinga multiple digital signature authenticating electronically signaturesaffixed to message and/or comments, M_(i), as created and/or addedsequentially by N users' units i (where i=1, . . . , N) by using apublic key encryption scheme, comprising: first processing means fordetermining for a given one of said messages, M_(i), a first hash value,e_(i), satisfying a condition that e=H(M₁) by using a first hashfunction, H; second processing means for determining for a numericalvalue, x_(i), obtained from translation of a random number andindependent of said message a second hash value, r_(i), satisfying acondition that r_(i)=h(x_(i)) by using a second hash function, h, whoseoutput value is shorter than that of said first hash function, H, saidsecond hash value being independent of said message; third processingmeans for executing the processings of said first and second processingmeans for each of said users' units i (where i=1, . . . , N); andarithmetic/output means for determining arithmetically said multipledigital signature on the basis of said hash values (e_(i) and r_(i))determined by said third processing means.
 19. A multiple digitalsignature generating system according to claim 18, wherein forgenerating said multiple digital signature, each of said users' units i(i≧2) includes: means for inputting said set of numerical values(x_(i−1), y_(i−1)) obtained from the translation of random numbers;means for computing a hash value given by e₁=H(M_(i)); means forgenerating a random number k_(i); means for computing a point given byk₁P=(x, y); means for computing a point given by (x₁, y₁)=(x_(i−1),y_(i−1))+(x, y); means for computing a hash value given by r₁=h(x_(i));means for determining a numerical value, s, by using a private key,d_(i), said numerical value, s_(i), satisfying a condition given by${s_{i} = {s_{i - 1} + k_{i} + {{d_{i}( {e_{i} + {\sum\limits_{k = i}^{i}\quad r_{k}}} )}\quad ( {{mod}\quad n} )}}};$

 and means for outputting a set of determined numerical values (r₁, . .. , r_(i), s_(i)) as the digital signature.
 20. A digital signatureverifying system for verifying a multiple digital signatureauthenticating electronically signatures affixed to messages and/orcomments, M_(i), as created and/or added sequentially by N users's uniti (where i=1, . . . , N) by resorting to a public key encryption scheme,comprising: first arithmetic means for determining for the inputtedmessage, M_(i), a first hash value, e_(i), satisfying a condition thate_(i)=H(M_(i)) by using a first hash function, H; second arithmeticmeans for determining for a numerical value, x_(i), obtained byarithmetic operation of the inputted multiple digital signature (r_(i),s_(i)), a public key, Q, and a base point, P, and independent of saidmessage, a second hash value, r_(i)′, satisfying a condition thatr_(i)′=h(x_(i)) on the basis of said first hash value, e_(i), saiddigital signature (r_(i), s_(i)), said base point, P, and said publickey, Q, by using a second hash function, h, whose output value isshorter than that of said first hash function, H, said second hash valuebeing independent of said message; processing means for executingrepetitionally the arithmetic operation of said first and secondarithmetic means for each of said users's units i (where i representsintegers “1” to “N” inclusive, respectively); and verifying means forcomparing each of said hash values, r_(i), determined by said processingmeans with each of said tallies, r, of said inputted multiple digitalsignature to thereby obtain results of verification of said inputteddigital signature.
 21. A multiple signature verifying system accordingto claim 20, wherein for authenticating a multiple digital signature byusers' units i (i≧2), each of said users' units includes: means forinputting (i−1) messages and/or comments (M₁, . . . , M_(i−1)) and(i−1)-tuple digital signature (r₁, . . . , r_(i−1), s_(i−1)) issued byan immediately preceding user's units (i−1); means for repeatingcomputation of hash values e_(k)=H(M_(k)), where k represents 1 to(i−1); means for inputting repetitionally public keys Q_(k) generated soas to satisfy a condition that Q_(k)=d_(k)P, where k represents 1 to(i−1); means for computing an element, R_(i−1), of an abelian group inaccordance with${( R_{i - 1} ) = {{S_{i - 1}P} - {\sum\limits_{k = 1}^{i - 1}\quad ( {e_{k} + {\sum\limits_{M = 1}^{k}\quad r_{m}}} )_{Q^{k}}}}};$

means for computing hash values r_(i−1)′=h(R_(i−1)); means for issuingdata indicating that said multiple digital signature is authenticatedwhen said hash value, r_(i−1)′, coincides with a tally, r_(i−1), of said(i−1)-tuple digital signature, and issuing data indicating that saidmultiple digital signature is not-authenticated unless said hash value,r_(i−1)′, coincides with said tally, r_(i−1).
 22. A digital signatureverifying system according to claim 21, wherein said abelian groupincludes an elliptic curve.
 23. A computer-readable recording medium forstoring a program which is composed of instructions executed by acomputer and which is for carrying out a method for generating a digitalsignature authenticating electronically a signature affixed to a givenmessage, M, by resorting to a public key encryption scheme, said digitalsignature generating method comprising the steps of: determining forsaid message, M, a first hash value, e, satisfying a condition thate=H(M) by using a first hash function, H; determining for a numericalvalue, x, obtained from translation of a random number and independentof said message a second hash value, r, satisfying a condition thatr=h(x) by using a second hash function, h, whose output value is shorterthan that of said first hash function, H, said second hash value beingindependent of said message; and arithmetically determining andoutputting said digital signature by using said first hash value, e, andsaid second hash value, r, as determined.
 24. A computer-readablerecording medium for storing a program which is composed of instructionsexecuted by a computer and which is for carrying out a method forverifying a digital signature authenticating electronically a signatureaffixed to a given message, M, by resorting to a public key encryptionscheme, said digital signature generating method comprising the stepsof: determining for said message, M, a first hash value, e, satisfying acondition that e=H(M) by using a first hash function, H; determining fora numerical value, x, obtained from arithmetic operation of an inputteddigital signature (r, s), a public key, Q, and a base point, P, andindependent of said message, a second hash value, r′, satisfying acondition that r′=h(x) on the basis of said first hash value, e, saiddigital signature(r, s), said base point, P, and said public key, Q, byusing a second hash function, h, whose output value is shorter than thatof said first hash function, H, said second hash value being independentof said message; and comparing said hash value, r′, with a tally, r, ofsaid inputted digital signature to thereby obtain a result ofverification of said inputted digital signature.
 25. A method ofgenerating and verifying a digital signature using a public keyencryption scheme in a system in which a digital signature is generatedby a given one computer and transmitted via a network to anothercomputer to be verified thereby, for generating a digital signature (r₁,s₁) for a given message, M₁, by said given one computer, said methodcomprises: determining a hash value, e₁, satisfying a condition thate₁=H(M₁) by using a first hash function, H; generating a random number,k₁; determining a point, R₁, by multiplying an element, P, of an abeliangroup by said random number, k₁; determining a first numerical value,r₁, satisfying a condition that r₁=h(R₁) and being determinedindependent of said message by using a second hash function, h, whoseoutput value is shorter than that of said first hash function, H, saidfirst numerical value being independent of said message; determining asecond numerical value, s₁ , satisfying a condition that s₁=k₁+d₁(e₁+r₁)(mod n) on the basis of the order, n, of said element, P, of saidabelian group and a private key, d₁; and sending a set of saiddetermined numerical values (r₁, s₁) as a digital signature to saidanother computer via said network; and for verifying said digitalsignature (r₁, s₁) by said another computer, said method comprises:fetching said digital signature (r₁, s₁) sent from said given onecomputer, said element, P, a public key, Q, and order, n, from a publicfile; determining a hash value, e₁, satisfying a condition thate₁=H(M₁); inputting a public key, Q₁, generated previously so as tosatisfy a condition Q₁=d₁P, where d₁ represents a private key;determining arithmetically a point, R₁, of an abelian group, said point,R₁, being given by R₁=s₁P−(e₁+r₁)Q₁; determining a hash value, r₁′,satisfying a condition that r₁′=h(R₁); outputting a data indicating thatsaid digital signature is authenticated, when said hash value, r₁′,coincides with a tally, r, of said digital signature; and outputtingdata indicating that said digital signature is not authenticated unlesssaid hash value, r₁′, coincides with said tally, r₁, of said digitalsignature.